OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S
IMPLEMENTATION OF
EARNED VALUE MANAGEMENT SYSTEMS

September 2006    A-14-06-26085

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and
management by proactively seeking new ways to prevent and deter fraud, waste
and abuse.
We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:    September 18, 2006                    Refer To:

To:      The Commissioner

From:    Inspector General

Subject: The Social Security Administration’s Implementation of Earned Value Management
         Systems (A-14-06-26085)

OBJECTIVE
The objective of our review was to determine whether the Social Security Administration
(SSA) has implemented Earned Value Management Systems (EVMS) for Information
Technology (IT) projects in accordance with the Office of Management and Budget
(OMB) and other related guidance.

BACKGROUND

According to OMB, “Earned value management (EVM) is a project (investment)
management tool effectively integrating the investment scope of work with schedule and
cost elements for optimum investment planning and control.” [1] It is a numerical
representation of project costs and schedule status. Earned Value (EV) is the budgeted
value earned when the budgeted work is performed. EV is then compared to the actual
costs and the planned values (budgets) to measure performance.

On August 23, 2004, OMB issued Memorandum M-04-24, Expanded Electronic
Government (E-Gov) President’s Management Agenda (PMA) Scorecard Cost,
Schedule and Performance Standard for Success. This memorandum sets forth the
criteria to be used and evidence necessary to evaluate whether a Federal agency has
complied with the E-Gov EVM standard.
This refers to the American National Standards
Institute (ANSI) / Electronic Industries Alliance Standard 748 (ANSI Standard). To
achieve a “green” level of performance for the PMA initiative, the agency’s actual
performance cannot vary by more than 10 percent from its cost, schedule and
performance goals.

[1] OMB Circular No. A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets,
    section 300.4.

This audit examined SSA’s initial establishment of its EVM process and systems.
During this audit, we reviewed, analyzed and evaluated SSA’s EVM policies and
procedures and examined SSA’s EVM process against OMB’s guidance and related
standards. We also reviewed financial, budgetary and managerial systems, as well as
documentation relevant to SSA's implementation and use of EVMS.

RESULTS OF REVIEW

Significant SSA Achievement

Based on our review of SSA EVM systems, processes and procedures, we have
concluded that SSA has generally implemented an EVM system to manage its major IT
projects in accordance with OMB guidance. According to SSA, some of the EVMS
requirements were not used based on the Agency’s costs/benefits analysis. For those
EVM requirements not instituted, SSA plans to periodically reevaluate its practices
throughout the EVMS life cycle.

SSA has made major efforts contributing to significant achievements to comply with
OMB’s guidance.
SSA has:

   • established its EVM Program Management Office (PMO) as the focal point of
     EVM;
   • completed its EVM Policy and EVM System Description by the OMB deadline,
     December 31, 2005;
   • completed Integrated Baseline Reviews (IBR) for 13 of its 14 major IT projects
     requiring EVM by the OMB deadline, March 31, 2006. The remaining project has
     been approved by OMB and is in the preparation stage of IBR;
   • updated and integrated its current systems and improved the automation of its
     EVM processing;
   • begun generating and using some standard EVM reports for project
     management; and
   • conducted extensive EVM training within SSA.

Our review showed that SSA EVMS has some areas that can be improved. These
areas limit the effectiveness of SSA’s EVM process and its IT development project
management. SSA uses estimated labor costs while the ANSI Standard requires the
use of actual costs. We also determined that SSA has control weaknesses in its data
collecting system for direct labor; SSA’s baseline change and maintenance policy and
practice, and its IBR procedures also need improvement.

SSA Does Not Use Actual Labor Costs

SSA does not use actual labor costs or costs reconcilable to its accounting systems for
EVM as required by ANSI standard. [2] Instead, it uses an estimate based on an average
hourly rate. [3] This flat labor rate then is used with the actual labor hours to determine
what SSA reports as the actual direct labor costs for IT projects. The results are
estimated labor costs. These estimated costs are compared with the project baseline
to measure performance.
SSA chose this method after considering the additional
implementation costs and effort that using actual labor costs would involve.

This practice does not fully comply with ANSI Standard (see Appendix C for additional
discussion). Under SSA's current EVM practice, an hour of direct labor of a Grade
9 employee is not different from that of a Grade 15 employee. Comparison of budgets
with actual costs is fundamental for EVM. We recommend that SSA conduct a
cost-benefit analysis to determine whether to use actual costs or reconcilable costs in its
EVM process.

Resource Accounting System Needs Improvement in Data Reliability, Accuracy,
and Completeness

SSA uses the Resource Accounting System (RAS) to collect time reported by SSA
employees within the Office of Systems (OS). Hours charged to projects, leave, and
administrative activity are captured on a daily basis and used for reporting by OS
management. A monthly report is provided for EVM processing. Due to control and
management weaknesses, the RAS data used for EVM analysis and reporting needs to
be improved to achieve a higher level of reliability, completeness, and accuracy. Some
of the weaknesses we found are as follows (see Appendix C for a full discussion of RAS
control weaknesses):

   • Controls do not ensure the completion of data entry before RAS data extracts are
     generated for EVM processing.
   • RAS data can be retroactively changed by both the employees and the
     supervisors without proper control. The ANSI Standard requires control of any
     retroactive changes to actual costs. [4]
   • RAS contains only OS hours.

[2] ANSI Standard 2.4 a requires using actual cost data from, or reconcilable with, the accounting system.
[3] The Agency's Office of Budget uses estimated payroll and benefit costs to derive an average work year
    cost of the Office of Systems.
    To compute an hourly rate, the average annual rate is divided by the
    average number of hours devoted to direct project-related activities. This hourly average rate is derived
    from historical Resource Accounting System / Mainframe Time and Attendance System data.
[4] ANSI Standard 2.5 c requires control of retroactive changes to records for actual costs, earned value, or
    budgets.

SSA concurred with our findings and agreed to make improvements. To comply with
the reconciliation requirement of the ANSI Standard, SSA is implementing a control on
the RAS – Reconciliation Exceptions Report. This report is an automatic reconciliation
between RAS and the Mainframe Time and Attendance System (MTAS). MTAS,
updated by SSA time keepers, is used to update SSA’s payroll system. RAS data can
be significantly improved, if proper control processes are implemented in concert with
this report.

SSA has made significant progress and plans to further improve the data collection
system for EVM, but still needs to implement effective controls to ensure all direct labor
hours are correctly entered into RAS before monthly EVM processing starts. For
components other than OS, SSA also needs to have a mechanism to collect direct labor
hours devoted to its EVM projects.

Baseline Maintenance and Changes

Performance Measurement Baseline (PMB) is the time-phased budget that reflects the
schedule and planned scope of all authorized work for the project. PMB provides the
project manager a reference to assess project performance. The National Defense
Industrial Association (NDIA) Intent Guide states that: “Any changes to the project must
be approved and implemented following the baseline management control process.” [5]
The ANSI Standard prohibits unauthorized changes to baseline. [6] “Changes made
outside the authorized baseline control processes compromise the integrity of
performance trend data and delay visibility into overall project variance from plan.” [7]

SSA’s EVM policy allows detail level changes to its PMB without proper controls. SSA’s
EVM System Description states, “Detail level schedule and budget changes -
Permitted as long as master program schedules and control account (CA) schedules
and budgets are not impacted.” [8] SSA's CA can be a project's “Development” stage of
the life cycle, which can last many months and contains significant project resources.

This policy provides opportunities for manipulating EVM performance results; therefore,
the process needs to be properly controlled. SSA concurred with our finding and plans
to update its EVM System Description and implement a standard EVM report that will
track baseline changes. SSA expects to complete these changes by the end of
Calendar Year (CY) 2006.

[5] NDIA Intent Guide, Intent Guideline 31.
[6] ANSI Standard 2.5 d.
[7] NDIA Intent Guide, management value of ANSI Standard 2.5.d, page 37.
[8] SSA EVM System Description 3.9.3.

SSA Procedure Could Allow Changes to OMB Approved Baseline

The essence of EVM rests in the comparison of planned values (baseline) with actual
values. However, SSA’s Overtime Procedure for EVM processing allows periodic
(quarterly) adjustments to the project baseline.

Such practices could undermine what the EVM process is designed to achieve – timely
alerts of project issues, such as budget overruns. Increasing budgets of existing project
baselines would eliminate the EVM variances that indicate potential budget overruns.

In addition, OMB requires that actual project costs be compared with OMB’s approved
baseline. [9] SSA needs to inform and obtain approval from OMB and ensure that EV
variances are calculated based on the OMB approved baseline.

SSA concurred with our finding, and as noted above, is updating its EVM System
Description to include proper OMB notification and approval. SSA expects to complete
these changes by the end of CY 2006.

SSA Needs to Improve Its IBR Process

The purpose of an IBR is to provide project/program managers with an understanding of
the PMB and project risks and to obtain an agreement on a plan of corrective actions to
remediate the identified risks. A project’s PMB is assessed for its completeness,
accuracy and reasonableness during the IBR process.

Our review of SSA’s IBR documentation for its 10 IT major projects shows that SSA’s
IBR process ensures that costs, schedules, and project scope are accurately and
properly integrated into the PMB. However, we also noted that there are areas where
SSA needs improvement for its future IBRs (See Appendix C for details).

   • The independent IBR evaluation team needs the required technical expertise to
     conduct the review.
   • SSA needs to improve its analysis and documentation of risks and mitigations.
   • SSA's IBR process should assess the resources needed for addressing risks.
   • IBR participants need to receive sufficient training specific to IBR which must be
     adequately documented.
   • Project Managers need to be involved in all stages of the IBR process.

SSA concurred with our findings and agreed to make improvements to comply with
OMB guidance.

[9] OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets,
    Exhibit 300, I.H.4 A.

CONCLUSION AND RECOMMENDATIONS
We concluded that SSA has generally implemented an EVM system
to track costs,
schedules, and the progress of its major IT projects as directed by OMB. SSA has
devoted efforts, which resulted in significant progress to obtain compliance with EVM
requirements. OMB has recognized SSA’s progress in EVM and rated SSA “Green” on
the PMA E-Gov Scorecard for the first quarter of CY 2006.

Our review shows there are areas of SSA’s EVM system that need improvement.
Implementation of the following recommendations will provide SSA with a more effective
EVM system that allows the Agency to better manage its IT development projects. We
recommend SSA:
1. Conduct a cost-benefit analysis to determine whether to use actual cost or
   reconcilable cost data in the EVM process;
2. Implement controls to ensure SSA employees accurately complete RAS inputs before
   RAS data is provided for EVM processing and RAS codes are properly closed after
   Post Implementation Review, and to control retroactive changes to RAS data;
3. Consider an agency-wide mechanism that would allow all SSA components to track
   EVM project-related efforts;
4. Continue to implement the automated reconciliation between RAS and MTAS and
   use reconciled data for EVM processing;
5. Implement controls over all baseline changes and obtain OMB’s approval when
   allocation of overtime budget to project occurs;
6. Ensure members of the IBR evaluation team and all IBR participants have
   programmatic or technical expertise and receive IBR specific training;
7. Ensure that project risks are identified and discussed between the project
   management team and the IBR evaluation team;
8. Categorize, analyze, and document the risks identified, including resource needs,
   during the IBR process in accordance with SSA’s IBR policy and OMB’s
   recommended guidance; and
9. Ensure project managers plan and perform the IBRs, and monitor the progress of
   the IBRs.

AGENCY COMMENTS
SSA agreed with our recommendations. The Agency’s comments are included in
Appendix D.

Patrick P. O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Selected Earned Value Management Criteria and Social Security
             Administration Earned Value Management Practices
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
ANSI                American National Standards Institute
ANSI Standard       American National Standards Institute / Electronic Industries
                    Alliance Standard 748
CA                  Control Account
CY                  Calendar Year
E-Gov               Electronic Government
EIA                 Electronic Industries Alliance
EV                  Earned Value
EVM                 Earned Value Management
EVMS                Earned Value Management System
IBR                 Integrated Baseline Review
IT                  Information Technology
MS                  Microsoft
MTAS                Mainframe Time and Attendance System
NDIA                National Defense Industrial Association
NDIA IBR Guide      National Defense Industrial Association Program Management
                    Systems Committee The Program Managers’ Guide to the
                    Integrated Baseline Review Process
NDIA Intent Guide   NDIA PMSC ANSI/EIA-748-A Standard for EVMS Intent Guide
OMB                 Office of Management and Budget
OS                  Office of Systems
PM                  Project Manager
PMA                 President’s Management Agenda
PMB                 Performance Measurement Baseline
PMO                 Program Management Office
PMSC                Program Management Systems Committee
RAS                 Resource Accounting System
RIMS                Risk Identification and Mitigation System
SSA                 Social Security Administration
WY                  Work Year

Appendix B

Scope and Methodology
Our objective was to determine whether the Social Security Administration (SSA) has
implemented Earned Value Management Systems (EVMS) for Information Technology
(IT) projects in accordance with the Office of Management and Budget (OMB) and other
related guidance. The scope of this audit was limited to SSA’s Earned Value
Management (EVM) general policy, procedure, practices, and systems design and
controls. We did not examine SSA’s EVM at project level.

To achieve our objective, we:

1. Reviewed the following OMB and OMB recommended criteria:
   • OMB Memorandum M-05-23, Improving Information Technology (IT) Project
     Planning and Execution;
   • OMB Memorandum M-04-24, Expanded Electronic Government (E-Gov)
     President’s Management Agenda (PMA) Scorecard Cost, Schedule and
     Performance Standard for Success;
   • OMB Circular No.
     A-11 Part 7, Planning, Budgeting, Acquisition, and
     Management of Capital Assets;
   • National Defense Industrial Association (NDIA) Program Management Systems
     Committee (PMSC), ANSI/EIA-748-A-Standard for Earned Value Management
     Systems Intent Guide;
   • NDIA PMSC, Surveillance Guide;
   • NDIA PMSC, The Program Managers’ Guide to the Integrated Baseline Review
     Process; and
   • Department of Defense, Earned Value Management Implementation Guide.

2. Interviewed representatives from SSA’s:
   • Office of Systems, EVM Program Management Office;
   • Office of Systems, Budget Staff, Administrative Budget Team, IT Systems Team
     and Resource Management Team;
   • Office of Systems, Planning Staff;
   • Office of Systems, Office of Enterprise Support, Architecture & Engineering,
     Division of Process Engineering, Project and Customer Service, Project Control
     and Customer Relations Branch; and
   • Office of Chief Information Officer, Office of Information Technology Systems
     Review.

3. Reviewed and analyzed the following relevant EVM documents:
   • SSA Policy for Earned Value Management for Major Information Technology
     Projects;
   • SSA Earned Value Management System Description;
   • SSA Earned Value Management System Study by Lockheed Martin Information
     Technology;
   • OMB Assessment of the Earned Value Management System at the SSA (Gap
     Analysis);
   • Other SSA EVM planning, analysis and reporting documents.

4. Obtained an understanding of the following relevant SSA EVM planning, data collecting,
   and analysis systems, and SSA financial accounting systems:
   • IT Systems QuickPlace;
   • Electronic General Auditable Document Store;
   • IT Proposal Application;
   • IT Systems Plan Database;
   • Resource Accounting System / Mainframe Time and Attendance System;
   • Automated Purchase Requisition System;
   • Social Security Streamlined Acquisition System;
   • Risk Identification & Mitigation System;
   • Vital Signs & Observations Report system;
   • Microsoft Project; and
   • wInsight.

We reviewed EVM for the entire Agency. We performed our field work at SSA
Headquarters from January to May 2006 and focused on the Office of Systems. We
determined that the data used in this report was sufficiently reliable to meet our audit
objectives and intended use of the data. We determined that our use of this data should
not lead to an incorrect or unintentional message. This audit was conducted in
accordance with generally accepted government auditing standards.

Appendix C

Selected Earned Value Management Criteria and
Social Security Administration Earned Value
Management Practices

General Criteria

On August 4, 2005, the Office of Management and Budget (OMB) issued Memorandum
M-05-23, Improving Information Technology (IT) Project Planning and Execution, to
provide assistance to agencies in monitoring and improving project planning and fully
implementing Earned Value Management Systems (EVMS) for IT projects.
Agencies
are now required to ensure improved execution and performance while promoting more
effective oversight on all new major IT projects, ongoing major IT developmental
projects, and high-risk projects. The requirements for full implementation of EVMS for
IT projects include:

   1. Develop comprehensive agency policies;
   2. Incorporate EVMS requirements in contracts and agency in-house project
      charters;
   3. Conduct compliance reviews of agency and contractor EVMS;
   4. Perform periodic systems surveillance reviews to ensure the EVMS continues
      to meet the guidelines in American National Standards Institute (ANSI) /
      Electronic Industries Association Standard 748 (ANSI Standard); and
   5. Use Integrated Baseline Reviews (IBR) to finalize the cost, schedule and
      performance goals.

EVM Standard and SSA practice related to project costs

According to Earned Value Management (EVM) standards and guidelines, actual direct
costs need to be recorded in a manner consistent with formal accounting systems. [1] If
timing differences exist between data of the EVM systems and accounting systems,
they need to be reconciled. [2]

[1] ANSI Standard 2.3 a: “Record direct costs in a manner consistent with the budgets in a formal system
    controlled by the general books of account.”
[2] National Defense Industrial Association (NDIA) Program Management Systems Committee (PMSC)
    ANSI/EIA-748-A Standard for Earned Value Management Systems Intent Guide, Intent Guideline 16.

Although the Social Security Administration’s (SSA) estimated labor costs used for EVM
analysis are recorded in a manner consistent with its budgeting method, they are not
recorded consistently with SSA's accounting system for labor - Payroll.
Since the
“actual” labor costs are estimated, they are not reconcilable to accounting data.

SSA decided to use a flat labor rate to estimate actual direct labor costs for its IT
projects largely to keep implementation costs down. This flat rate method has already
been used in its IT planning and budgeting process for years. SSA's IT planning process
only requires an estimate of the total number of Work Years (WY) to complete a project.
The average WY cost then is applied to derive the total direct labor budget for the
project. This process does not distinguish employees with different pay grades.
Another factor is SSA’s use of Microsoft (MS) Project software for project management
and EVM purposes. MS Project requires the use of resource rates. For example, all
budgets and actual costs for labor are populated in the MS Project file by labor hours. Then
dollar amount budgets and actuals are calculated using a flat labor rate.

Resource Accounting System Control Weaknesses

Our review of SSA’s Resource Accounting System (RAS) revealed the following control
and management weaknesses:

•   Controls do not ensure the completion of data entry before RAS data extracts are
    generated for EVM processing.

•   RAS data can be retroactively changed by either the employees or the supervisors
    without proper control. Employees and their supervisors can use the RAS input
    screen to go back to any prior pay periods and make changes. In addition, SSA
    does not maintain an audit trail of RAS changes.

•   We have examined a monthly RAS data extract that contained the total number of
    hours worked monthly for each IT project. This file shows numerous negative
    numbers of hours that represent the changes made to the past periods.
    These
    negative numbers indicate that changes were made; however, since there is no
    audit trail, SSA does not know when changes were made or who made them.

•   RAS contains only Office of Systems (OS) hours. For some IT projects, SSA uses
    an Excel Template to collect actuals for components other than OS. However,
    non-development direct labor hours of other SSA components are not captured in RAS
    and not included in the EVM calculation. EVM guidance requires that all costs be
    included in the project and recognizes the importance of visibility into direct and
    indirect costs.

•   RAS data is not reconciled with SSA's payroll system as required by the ANSI
    Standard.

•   We have found two completed projects where time was still charged to the RAS
    Project codes. SSA's policy is to close a project's RAS code when Post
    Implementation Review or Lessons Learned is completed.

IBR Requirement and SSA Practice

OMB requires that agencies conduct independent validations to ensure the
reasonableness of the costs, schedules, and performance goals of major IT projects.
According to OMB, “Agencies currently using Integrated Baseline Reviews (IBRs), may
substitute an IBR for an independent assessment.” [3] SSA has chosen to conduct IBRs
instead of independent validations for its major IT projects and has implemented IBR
policy and procedures.

Our review of SSA IBR documentation for its 10 IT major projects shows that SSA’s IBR
process ensures that costs, schedules, and project scope are accurately and properly
integrated in the PMB.
However, we also noted that there are areas where SSA needs
improvement for its future IBRs.

Issue 1: The independent IBR evaluation team needs the required technical
expertise to conduct the review.

According to the OMB recommended IBR guidance, the National Defense Industrial
Association Program Management Systems Committee The Program Managers’ Guide
to the Integrated Baseline Review Process (NDIA IBR Guide), IBR “…participants
should be identified based on their programmatic or technical expertise, as required for
the review.” [4] SSA’s IBR evaluation team is comprised of EVM Program Management
Office (PMO) staff, OS Planning staff, System Process Improvement staff, and PMO
support contractors and does not include the project managers. As a result, the
evaluation team does not have the required programmatic or technical expertise. The
technical expertise required in the IBR evaluation team is essential during the technical
risks identification and remediation processes and in determining the reasonableness of
project costs and schedules.

According to OMB, for agencies that performed most of their own systems
development, it is appropriate for one project management team to evaluate another
project management team for IBR purposes.

[3] OMB Memorandum M-5-23, Improving Information Technology (IT) Project Planning and Execution,
    Attachment A, footnote 5.
[4] National Defense Industrial Association (NDIA) Program Management Systems Committee (PMSC) The
    Program Managers’ Guide to the Integrated Baseline Review Process (NDIA IBR Guide), page 10.

Issue 2: SSA needs to improve its analysis and documentation of risks and
mitigations.

SSA adopted the risk management method specified in NDIA IBR Guide that the IBR
process should identify and categorize project risks in the following five
categories:\ntechnical, schedule, cost, resource, and management process risks at control account\nlevel. SSA\xe2\x80\x99s IBR documentation shows that project management teams referred to the\nRisk Identification and Mitigation System (RIMS) for documentation of risk\nmanagement. However, SSA RIMS criteria do not match the criteria specified in the\nNDIA IBR guide and SSA\xe2\x80\x99s own IBR policy. RIMS documents and categorizes risks into\nhigh, medium, and low, according to their severity and probability of occurrence.\n\nIn addition, according to the NDIA IBR guide, reviewing and reviewed parties need to\nobtain a mutual understanding of project risks and agree on the plan of corrective\nactions. The process should also include an assessment of impact on resources if the\nrisks occurred. SSA\'s remediation approaches specified in the RIMS Quick Reference\nguide does not include an assessment of resources needed to address the risks.\n\nSSA needs to ensure the project risks be identified and discussed between the project\nmanagement team and the evaluation team during the IBR process. SSA also needs to\ndocument project risks and their remediation in accordance with its own IBR policy and\nOMB recommended guidance.\n\nIssue 3: SSA\'s IBR process should assess the resources needed for addressing\nrisks.\n\nThe NDIA IBR Guide requires that the IBR team should assess the resources needed\nwith respect to project risk not accounted for in the PMB. The guide also requires\ndocumentation of schedule and cost rough-order-of-magnitude impact on PMB for each\nrisk area. 
5 SSA’s IBR process does not require an assessment of resources needed for
addressing identified risks.

SSA needs to discuss and assess the resources needed for addressing the risks
identified during the IBR process.

Issue 4: IBR participants need to receive sufficient training specific to IBR which
must be adequately documented.

According to the NDIA IBR Guide, "Training is essential to ensure that the IBR team can
identify and adequately assess project risk." 6 SSA’s PMO stated that, although not
included in the IBR documentation, the IBR evaluation team had obtained IBR specific
training by conducting multiple weekly meetings prior to the IBR to understand the IBR
process and requirements. However, the IBR documentation does not show that other
participants of the IBR process received IBR specific training.

5  Rough-order-of-magnitude is a range estimate. For example, the direct labor needed for certain jobs is
   between 1-3 WY.
6  NDIA IBR Guide, page 11.

SSA needs to improve the documentation of IBR specific training and ensure that all
IBR participants receive sufficient training before the review starts to ensure a proper
understanding of IBR purposes and procedures.

Issue 5: Project Managers need to be involved in all stages of the IBR process.

The documentation we reviewed did not show that project managers (PM) were
involved in the planning process. Rather, IBRs were planned, led, and conducted by
the IBR evaluation team that does not include the PMs. According to the NDIA IBR
Guide, PMs play an essential role in the IBR process and should be involved in the IBR
planning process and all other processes.
PMs should bear the responsibility for the
whole IBR Process.

For future IBRs, SSA should ensure that PMs:

   • Plan and perform the IBR;
   • Provide an adequate number of qualified personnel to serve as IBR team
     members;
   • Specify evaluation criteria for risk areas;
   • Document risk issues identified during an IBR; and
   • Monitor progress on required actions until issues are resolved.

Appendix D

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:      September 7, 2006                                    Refer To: S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Larry W. Dye     /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s
           Implementation of Earned Value Management Systems” (A-14-06-26085)--INFORMATION

We appreciate OIG’s efforts in conducting this review. Our comments on the draft report are
attached.

Please let me know if you have any questions. Staff inquiries may be directed to
Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

Attachment:
SSA Comments

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S (OIG) DRAFT
REPORT, “THE SOCIAL SECURITY ADMINISTRATION’S IMPLEMENTATION OF
EARNED VALUE MANAGEMENT SYSTEMS” (A-14-06-26085)

Thank you for the opportunity to review and provide comments on this OIG draft report.
The report indicates that the Social Security Administration (SSA) has taken several significant
actions to implement an Earned Value Management (EVM) process for managing SSA
information technology (IT) projects in accordance with Office of Management and Budget
(OMB) guidance. In addition to the many SSA achievements in this area cited in this OIG
report, we have also deployed EVM methodology in preparing budget submission documents in
support of funding for major IT investments.

To further enhance our EVM process, our EVM Program Management Office (PMO) will
dedicate three government employee full-time equivalents and seven contractor work years for
Fiscal Year 2007 to improving and automating our EVM and related processes and procedures.
The EVM PMO is also integrally involved with the Systems Planning And Reporting System
initiative, which will automate and integrate our management, planning and accounting systems
into a single database.

We have the following comments on the OIG draft report recommendations.

Recommendation 1

Conduct a cost-benefit analysis to determine whether to use actual cost or reconcilable cost data
in the EVM process.

Comment

We agree. A cost-benefit analysis will be performed to determine the feasibility of using actual
personnel dollars in the EVM process.

Recommendation 2

Implement controls to ensure SSA employees accurately complete Resource Accounting System
(RAS) inputs before RAS data is provided for EVM processing and RAS codes are properly
closed after Post Implementation Review, and to control retroactive changes to RAS data.

Comment

We agree. We have implemented two significant improvements that address this
recommendation. First, RAS reporting (timeliness and accuracy) will be included in SSA
employee performance evaluations.
Second, we have established a RAS change control process
that includes a form requiring approval of RAS inputs from an EVM PMO lead staff member.
In addition, Office of Systems’ senior management has increased the amount of communication
about the critical importance of accurate and timely RAS reporting.

Recommendation 3

Consider an Agency-wide mechanism that would allow all SSA components to track EVM
project-related efforts.

Comment

We agree. As part of our present efforts to enhance our EVM process, we will determine the
feasibility and cost-effectiveness of developing the recommended mechanism.

Recommendation 4

Continue to implement the automated reconciliation between RAS and the Mainframe Time and
Attendance System (MTAS) and use reconciled data for EVM processing.

Comment

We agree. The RASMTAS Hyperion Reporting System now includes a Reconciliation Report
that produces an exception report by SSA component, pay period, and employee hours reported
to RASMTAS and hours in MTAS.

Recommendation 5

Implement controls to all baseline changes and obtain OMB’s approval when allocation of
overtime budget to project occurs.

Comment

We agree. We have re-written the applicable portion of the System Description, established a
Baseline Change Request form, and adopted approval and control processes in accordance with
this OIG recommendation. Baseline changes are submitted to OMB
in accordance with OMB requirements.
This process applies to all baseline changes,
including allocation of overtime hours to programs.

Recommendation 6

Ensure members of the Integrated Baseline Review (IBR) evaluation team and all IBR
participants have programmatic or technical expertise and receive IBR specific training.

See comment for recommendation 9.

Recommendation 7

Ensure that project risks are identified and discussed between the project management team and
the IBR evaluation team.

See comment for recommendation 9.

Recommendation 8

Categorize, analyze, and document the risks identified, including resource needs, during the IBR
process in accordance with SSA's IBR policy and OMB's recommended guidance.

See comment for recommendation 9.

Recommendation 9

Ensure project managers plan and perform the IBRs, and monitor the progress of the IBRs.

Comment

We agree with recommendations 6 - 9. SSA staff has taken Defense Acquisition University IBR
training and will follow these OIG recommendations and other guidance for improvement during
our next IBR. We intend to ask OIG to participate on the IBR Team.

Appendix E

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Data Analysis and Technology Audit Division, (410) 965-9702

   Phil Rogofsky, Audit Manager, General Controls Team, (410) 965-9719

Acknowledgments

In addition to those named above:

   Grace Chi, Auditor-in-Charge

   Harold Hunter, Senior Auditor

   Annette DeRito, Writer/Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number
A-14-06-26085.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary
Penalty program.

Office of Resource Management

ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.'